Background of the Invention
1. Technical Field
[0001] The invention disclosed broadly relates to data processing and more particularly
relates to the establishment of a trusted path in systems with virtual terminal features.
2. Background Art
[0002] Many data processing applications involve highly confidential information such as
in financial applications, national security applications, and the like where information
enters the data processing system by means of a user typing that information at a
user terminal connected to the system. The prior art has not provided an effective
mechanism to prevent unauthorized persons or programs from reading data from a user
terminal. In prior art data processing systems, the communication path between the
local processor and the operating system software can either be forged or penetrated
by an unauthorized program known as a Trojan horse, which can masquerade as the program
with which the user intends to communicate, and can divert, replicate or otherwise
subvert the security of the confidential information being input by the user at his
terminal.
[0003] For national security applications, the United States Government has established
a standard by which the security of data processing systems can be evaluated, that
standard having been published in "Trusted Computer System Evaluation Criteria," U.S.
Department of Defense, December 1985, DoD publication number 5200.28-STD (referred
to herein as DoD Standard). The DoD Standard defines a trusted computer system as
a system that employs sufficient hardware and software integrity measures to allow
its use for processing simultaneously a range of sensitive or classified information.
A trusted computing base (TCB) is defined as the totality of protection mechanisms
within a computer system, including hardware, firmware and software, the combination
of which is responsible for enforcing a security policy. A TCB consists of one or
more components that together enforce a unified security policy over a product or
system. The ability of a TCB to correctly enforce a security policy depends solely
on the mechanisms within the TCB and on the correct input by system administrative
personnel of parameters such as a user's clearance, related to the security policy.
A trusted path is defined by the DoD Standard as a mechanism by which a person at
a terminal of a local processor can communicate directly with the trusted computing
base. The trusted path mechanism can only be activated by the person or the trusted
computing base and cannot be imitated by untrusted software. Trusted software is defined
as the software portion of a trusted computing base.
[0004] The problem of maintaining a trusted path between a local processor and a trusted
computing base in a remote processor is compounded for those operating systems which
accommodate multiple users. Some examples of prior art multi-user operating systems
which have not provided an effective mechanism for establishing a trusted path include
UNIX (UNIX is a trademark of AT&T Bell Laboratories), XENIX (XENIX is a trademark
of Microsoft Corporation) and AIX (AIX is a trademark of the IBM Corporation). UNIX
was developed and is licensed by AT&T as an operating system for a wide range of minicomputers
and microcomputers. For more information on the UNIX Operating System, the reader
is referred to "UNIX (TM) System, Users Manual, System V," published by Western Electric
Company, January 1983. A good overview of the UNIX Operating System is provided by
Brian W. Kernighan and Rob Pike in their book entitled "The UNIX Programming Environment,"
published by Prentice-Hall (1984). A more detailed description of the design of the
UNIX Operating System is to be found in a book by Maurice J. Bach, "Design of the
UNIX Operating System," published by Prentice-Hall (1986).
[0005] AT&T Bell Labs has licensed a number of parties to the use of UNIX Operating System,
and there are now several versions available. The most current version from AT&T is
Version 5.2. Another version known as the Berkley version of the UNIX Operating System
was developed by the University of California at Berkley. Microsoft Corporation has
a version known under their trademark as XENIX.
[0006] With the announcement of the IBM RT PC (RT PC are trademarks of IBM Corporation),
(RISC (reduced instruction set computer) technology personal computer) in 1985, IBM
Corporation released a new operating system called AIX which is compatible at the
application interface level with AT&T's UNIX Operating System, Version 5.2, and includes
extensions to the UNIX Operating System, Version 5.2. For a further description of
the AIX Operating System, the reader is referred to "AIX Operating System Technical
Reference," published by IBM Corporation, 2nd Edition (September 1986).
[0007] EP-A- 0,325,776 by Abhai Johri and Gary Luckenbaugh entitled "A Trusted Path Mechanism
for An Operating System," assigned to the IBM Corporation, discloses a trusted path
mechanism invention which guarantees that data typed by a user on a terminal keyboard
is protected from any intrusion by unauthorized programs. It allows a user to create
a non-forgeable and non-penetrable communication path between the user's terminal
and the trusted operating system software. The user can create a trusted path by simply
pressing a key, called the Secure Attention Key (SAK), on the terminal keyboard. This
operation can be called when the user logs into the system in order to be sure that
the user is communicating with the real login program and not a Trojan horse program
masquerading as a login program, which would steal the user's password. After the
user has established the trusted path, he can enter his critical data, such as a password,
and can be sure that his password is not being stolen by an intruder's program. Then,
after the user logs out, he can be sure that the trusted path has actually logged
him out of the system so that a Trojan horse program is not capable of continuing
the session started by the user.
[0008] The invention described in EP-A-0,325,776 is contained in a data processing system
including a memory to which is connected a plurality of terminals, with at least one
terminal including a keyboard having a Secure Attention Key. It is a method in a UNIX-type
operating system for creating, in response to the Secure Attention Key, a trusted
path between the terminal and a trusted shell portion of a trusted computing base
which is a child process of an init process under the operating system. The method
includes detecting the Secure Attention Key in a keyboard device driver connected
to the keyboard and outputting from the keyboard device driver to a Secure Attention
Key Signal Generator, information that the Secure Attention Key has been been detected.
It further includes outputting from the Secure Attention Key Generator a SIGSAK signal
to all processes operating in a process group of the terminal, terminating all of
the processes in the terminal process group. The method further includes applying
the SIGSAK signal to access authorization tables associated with all the device drivers
interfacing with the terminal, to deny access authorization to all processes in the
data processing system except the init process. The method further includes applying
the SIGSAK signal to a file access table to remove all addressing information relating
the device drivers interfacing with the terminal, to all processes in the data processing
system except the init process. The method further includes executing a fork system
call by the init process for a new child process. The method further includes executing
an exec system call to overlay a trusted shell process onto the new child process,
the trusted shell process having access authorization to the device drivers interfacing
with the terminal and the trusted shell process having an addressing relationship
defined in the file access table to the device drivers interfacing with the terminal.
Thereby a trusted path is established between the terminal and the trusted shell process.
[0009] However, the trusted path approach of EP-A-0,325,776 creates some problems when applied
in a data processor which is running multiple windows or virtual terminals, since
establishing the trusted path in one of the virtual terminals can destroy the concurrent
sessions running in the other virtual terminals on the same processor.
[0010] EP-A-0,229,336, entitled "A Virtual Terminal Subsystem" and assigned to IBM Corporation,
describes virtual terminals. This application discloses a method of, and apparatus
for, running several applications concurrently on a processing system. Virtual terminals
are created for running the applications. However, the virtual terminals perform as
though the processing system were a single terminal system. In this way, any application
written for a single terminal system can run in this multiple virtual terminal environment.
For interaction with one of the several applications running on this system, the real
physical resources of the system are reallocated to the virtual terminal running the
selected application.
[0011] EP-A-0,235 379, entitled "Virtual Terminal Monitored Mode", assigned to IBM Corporation
discloses a data processing system which gives an application running on the operating
system direct access to the output display. The system is operable in two modes. In
the first mode, if the application displays text to the output display, the output
data must go through every layer of the processing system before it reaches the output
display. In the second mode, the application can output data directly to the output
display without going through the many layers of the processing system. In this second
mode, a buffer is defined by the application. Input data from the input devices are
stored in this buffer. The application accesses the buffer for direct output to the
display.
[0012] The invention disclosed and claimed herein specifically concerns providing a mechanism
for establishing a trusted path in a data processor running several virtual terminals
in a multi-user operating system such as UNIX, XENIX, or AIX, so that unauthorized
programs are prevented from reading data in one of the virtual terminals. None of
the prior art multi-user operating systems provides a mechanism for establishing a
trusted path which is effective in preventing unauthorized programs from reading data
from a virtual terminal. The invention is defined in the independent claims.
Objects of the Invention
[0013] It is therefore an object of the invention to provide a mechanism for establishing
a trusted path in a virtual terminal.
[0014] It is still a further object of the invention to provide a mechanism for establishing
a trusted path for a multi-user operation system running virtual terminals.
[0015] It is still a further object of the invention to provide a trusted path mechanism
for a UNIX (TM)-type operating system running virtual terminals.
Summary of the Invention
[0016] These and other objects, features and advantages of the invention are accomplished
in advantageous manner by the trusted path mechanism for virtual terminals disclosed
herein. When the user is logged on to a processor running multiple virtual terminals
and he presses the Secure Attention Key, the existing virtual terminal processes are
not destroyed. Instead, the invention creates a new virtual terminal, establishes
a trusted path for the new virtual terminal, makes the new virtual terminal the current
virtual terminal, and then runs the trusted process in the new virtual terminal.
Description of the Figures
[0017] These and other objects, features and advantages of the invention will be more fully
appreciated with reference to the accompanying figures, showing an embodiment of the
present invention.
- Fig. 1
- is a schematic diagram of a data processor in its state before login, when the Secure
Attention Key is pressed by the user.
- Fig. 2
- shows the data processor in a state following that Fig. 1, wherein response to the
Secure Attention Key, all access to the screen and keyboard is revoked and all existing
processes are terminated.
- Fig. 3
- shows the state following that depicted in Fig. 2, where the trusted login process
is established.
- Fig. 4
- shows the state of the data processor after the user has logged in and has opened
an untrusted virtual terminal.
- Fig. 5
- shows the data processor in a state following that of Fig. 4, where a second untrusted
virtual terminal has been opened.
- Fig. 6
- depicts a state following that of Fig. 5, where the user presses the Secure Attention
Key to open a trusted virtual terminal, while the existing untrusted virtual terminals
remain resident.
- Fig. 7
- is a flow diagram of the trusted path functions in init.
Description of the Preferred Embodiment
[0018] Figs. 1 through 7 provide a generalized description of the trusted path mechanism
for virtual terminal environments. Fig. 1 through 6 show various states of a data
processor which includes a microprocessor connected to a memory into which is loaded
a UNIX-like operating system from a disk drive, along with a sequence of user application
programs. A terminal which includes a display monitor and a keyboard are also connected
to the memory, enabling the user to interact with programs running on the data processor.
The data processor can be the IBM RT PC previously referred to, running the AIX operating
system, which includes virtual terminal support features as described in the above
referenced EP-A-0,229,336 and EP-A-0,235 379.
[0019] The primary UNIX-type operating system file is the kernel which is loaded into the
memory from the disk drive and which is considered a part of the trusted computing
base. The kernel carries out initialization operations, organizing the system and
opening requisite files necessary to carry on multi-user and virtual terminal operations.
After the kernel completes the basic process of initialization, it starts the init
process which is the ancestor of all other processes in the system. The term process,
as used herein, is a sequence of actions, such as a user program or subroutine, which
is required to produce a desired result. Execution of processes can be begun by entering
a command, running a shell program or by being started by another process. The init
process controls the state in which the system is running and is also a part of the
trusted computing base. Included in the init process are trusted path functions which
can create a trusted path in response to the user pressing a Secure Attention Key
on the keyboard, in accordance with the invention. Background information on trusted
path operations for systems not supporting virtual terminal operations can be found
in EP-A-0,325,776, referred to above. Virtual terminal manager functions can also
be included as a part of the init process, or alternately could be a part of the kernel
process.
[0020] As is seen in Fig. 1, the terminal or console has its display connected to a screen
buffer which is a part of the memory and stores alphanumeric or all points addressable
data which is to be currently displayed on the display screen. Processes running in
a data processor can interact with the screen buffer to modify the image being displayed
on the display screen, if they are authorized to access the screen buffer by an appropriate
entry in the screen/keyboard access authorization table. The keyboard of the terminal
is connected to the keyboard driver which processes the characters output from the
keyboard. Alphanumeric and some control characters are passed from the keyboard driver
to the keyboard buffer. A keyboard image can be stored in the keyboard buffer which
can be output back to the keyboard driver for controlling the meaning of various keys
and key combinations on the keyboard. A special Secure Attention Key (SAK) on the
keyboard is intercepted by the keyboard driver and is passed to the trusted path functions
in the init process, to initiate the establishment of a trusted path. A virtual terminal
select key on the keyboard is intercepted by the keyboard driver and passed to the
virtual terminal manager functions in the init process to enable the user to selectively
interact with his choice of one of the virtual terminals which he has opened on the
data processor.
[0021] UNIX-type processes which run in the UNIX-like environment consist of three basic
portions, a program text portion, a data portion and a stack portion, as depicted
for the processes PGM1 and PGM2 in Fig. 1. The process status table, which is a part
of the trusted computing base and can either be a part of init, a part of the kernel,
or can be a separate partition in the memory, maintains an up-to-date record of the
state of each respective process resident in memory along with the user id, its status
of being a trusted or untrusted process, and its current running status. In UNIX-like
operating systems, the system call "fork" creates two newly identical copies of a
process. When a process is established, init will copy itself as the parent process
and will spawn a child process. All parts of the image of the parent process are inherited
by the child, including open files. The child process has its own data and stack portions.
The only resources shared by a parent and a child are files that were opened when
the parent underwent the "fork" system call. The child process then performs an overlay
operation upon itself of the image of the next process which is to be established.
The overlay operation is accomplished by another UNIX-like system call, the "Exec"
system call. The exec system call overlays the child process that is running, with
a new program and begins execution of the new program at its entry point. The process
id of the new program is unchanged by the exec system call. If successful, the exec
system call does not return and the calling program image is lost. In this manner,
UNIX-like operating systems create a new process. The running state of that new process
can be any one of five or more states. In a multi-programming mode of operation, a
process may be either running or runable, depending upon whether it is either currently
being executed or is waiting to be switched in from a temporary waiting state in order
to be executed. The process can also be stopped in a stopped state, where it remains
resident, but is not executed until affirmatively restarted. Some processes wait for
events to occur before being executed, this state being called the "sleeping" state.
Finally, those processes which have been terminated but not yet removed from residence
in the memory, are referred to as "zombie" processes. These various running states
are kept track in the process status table shown in the data processor of Fig. 1.
[0022] Fig. 1 depicts the state of the data processor before the user has logged in. The
data processors terminal is operating in the real mode in this state where the login
process PG1 and the startup process PG2 provide the user with an untrusted login operation.
The security problem presented to the user is that he cannot be sure if he can login
and have his user password validated without having his password or other secure information
diverted, replicated or otherwise subverted by an unauthorized person or program.
In order to establish a trusted path to a trusted login process, the user presses
the Secure Attention Key (SAK) on the keyboard in Fig. 1 and Fig. 7.
[0023] In Fig. 2, in response to the user pressing the SAK, the SAK information is intercepted
by the keyboard driver and is passed to the trusted path functions in the init process.
In response, the init process revokes all access by existing processes to the screen
buffer and the keyboard buffer, as can be seen by the change in the entries in the
screen/keyboard access authorization table. In addition, the init process terminates
all existing processes in the terminal process group, thereby assuring that any unauthorized
Trojan horse programs resident in memory will be removed. See Fig. 7.
[0024] In Fig. 3, a trusted shell process PGM3 is established. In accordance with the invention,
either the kernel or the init process includes a trusted shell process which can be
either a part of the kernel, read in from the disk storage device, or alternately
can be a separate trusted file on the disk storage device read in at the command of
either the kernel or init. A shell command is a system command interpreter in program
language, which can read commands entered at the keyboard and arrange for their execution.
The PGM3 trusted process can be a shell process which includes a trusted login process.
The init process performs a "fork" system call followed by a "exec" system call to
overlay the PGM3 trusted process as the child process of init. Since PGM3 is the child
process of init, it is authorized in the screen/keyboard access authorization table
to access the screen buffer and the keyboard buffer for the terminal. Since all other
processes associated with the terminal process group have been terminated and removed
from memory, and since PGM3 is the only resident process now authorized to interact
with the screen buffer and keyboard buffer, a trusted path is now established from
the terminal to the trusted process PGM3, which can perform a trusted login operation
for the user. See the flow diagram of Fig. 7.
[0025] Fig. 4 depicts the condition of the data processor after the user has logged in and
after he has opened an untrusted virtual terminal VT1. A detailed description of the
creation and management of virtual terminals in a data processor such as the IBM RT
PC, is more fully described in EP-A-0,229,336 referred to above. In virtual terminal
operations, on a UNIX-like operating system, several UNIX-type processes can concurrently
run in a multi-programming mode, each process being a separate virtual terminal process.
As a UNIX-type process, a virtual terminal process such as VT1 shown in Fig. 4, includes
a program portion, a data portion, and a stack portion. The data portion of the virtual
terminal process can include a screen image S1, which, when written to the screen
buffer, will provide the image to be displayed on the terminal associated with the
application running in the virtual terminal VT1. The data portion of VT1 can also
include a keyboard image K1 which, when written to the keyboard buffer, will provide
the customized keyboard definitions for the keys on the keyboard and when read from
the keyboard buffer back to the keyboard image K1, will store any character strings
which have been output from the keyboard, but which have not yet been operated upon
by the VT1 program. Although the screen image S1 and the keyboard image K1 are shown
as being a part of the data portion of the VT1 process, it is within the scope of
the invention that the screen image and the keyboard image can be stored elsewhere
in memory. The data portion of VT1 can also include other data necessary for the particular
application run on the VT1 virtual terminal.
[0026] Fig. 5 shows the data processor operating in the virtual mode where a second untrusted
virtual terminal VT2 has been opened by the user. Since VT1 and VT2 are UNIX-type
processes, they are established by the init process performing its sequential "fork"
and "exec" system calls. As each new virtual terminal process is established by init,
the last active or running process has its process id placed on top of the virtual
terminal stack VT stack, so that if a user terminates an active virtual terminal process,
the last preceding active virtual terminal process is identified by popping its id
off the VT stack and it can resume its active running state. The user can selectively
view and interact with any one of the several virtual terminals which he has opened
by pressing the virtual terminal select key on his keyboard. The keyboard driver will
pass the virtual terminal select key information to the virtual terminal manager function
associated with the init process, and the virtual terminal management operations will
be carried out as has been described in EP-A-0,229,336.
[0027] Fig. 6 shows the circumstance where the user has already established two untrusted
virtual terminal processes VT1 and VT2 which are resident in memory and the user now
wants to carry on trusted computing operations in his data processor. To accomplish
this, the user presses the Secure Attention Key (SAK) which is forwarded by the keyboard
driver to the trusted path functions of the init process. In response, the init process
revokes all access by existing processes to the screen buffer and keyboard buffer,
by changing the entries in the screen/keyboard access authorization table. If a particular
virtual terminal process VT1, for example, has an application running in it which
is performing background operations, such as lengthy statistical computations, that
process can optionally be allowed to continue its background execution, but only as
long as it does not require access to the screen buffer or the keyboard buffer. As
soon as an existing virtual terminal process requires such an access, that access
will be denied by the screen/keyboard access authorization table and the running state
of the process will be stopped. An entry signifying the state will be made to the
process status table. Alternately, all existing virtual terminal processes VT1 and
VT2 can be stopped while the trusted path is in operation. The init process now performs
a "fork" system call followed by an "exec" system call to overlay the trusted process
VT3, which is a virtual terminal process. Either the kernel process or the init process
can include the trusted virtual terminal process VT3 as a part of the trusted computing
base. Since the trusted virtual process VT3 is a child process of an init, it is authorized
to access the screen buffer and the keyboard buffer by means of the entry in the screen/keyboard
access authorization table. Since all other processes associated with the terminal
console have been stopped but remain resident in memory, and have had their authorizations
revoked for access to the screen buffer and the keyboard buffer, there is a trusted
path now established from the terminal console to the trusted virtual terminal VT3.
The trusted virtual terminal VT3 can have a variety of commands, functions, and subsidiary
programs contained within any shell process application running on VT3. An example
of this would be a secure login function whereby the user, at the terminal console,
can login his id and input his password without fear that an unauthorized user or
program will be eavesdropping on his password or other secure data.
[0028] After the user has completed his operations over the trusted path to the trusted
virtual terminal VT3, the VT3 process can be terminated. Since the VT stack now has
as the last active process, the VT2 virtual terminal process, VT2 now becomes the
active running process for the system.
[0029] The trusted path functions described above, which are a part of the init process,
are shown in the flow diagram of Fig. 7.
Implementation of the Invention in the AIX Operating System
[0030] The above discussion is necessarily of a generalized nature as far as implementation
is concerned, in order to convey the basic principles of operation of the invention
herein. The invention finds particular application in the IBM RT PC data processor
running the AIX operating system which supports virtual terminal operations. In such
an implementation, the keyboard driver referred to above has its functions variously
performed by the Virtual Resource Manager (VRM), the High Function Terminal (hft)
and the line discipline driver in the IBM RT PC data processor and AIX operating system.
The function of the process status table referred to above is performed by a file
named "/etc/utemp" in the AIX operating system. The reader is referred to the above
referenced IBM publications on the AIX operating system for additional details.
[0031] The terminal console of the IBM RT PC running the AIX operating system (AIX/RT) is
a High Function Terminal (hft) and supports multiple (up to a maximum of 16) virtual
terminals. The console is treated as the main terminal; it has an inode (/dev/console)
and its own /etc/utmp entry. All other virtual terminals, although independent, are
opened using the same single multiplexed inode (/dev/hft). After a virtual terminal
is opened, an independent inode is created in memory for that virtual terminal. Once
a user logs in to the console, he can open up to 16 virtual terminals. The hft device
also supports a key-translation mechanism, which allows users to map a given keyboard-key
to another key sequence.
[0032] The trusted path mechanism for the hft device allows the user to press the SAK any
time as follows:
(i) Before the user logs in to the console to be sure that the user is communicating
with the real login program and not a login-masquerading program.
(ii) After the user logs in to the console (and may have opened zero or more virtual
terminals) to enter the user's critical data, such as password, and be sure that it
is not being stolen by an intruder's program.
(iii) After the user logs out from the console to make sure that the user has actually
logged out from the system.
[0033] The design of the trusted path mechanism for virtual terminal applies to any UNIX
(UNIX is a trademark of AT&T Bell Laboratories) or UNIX-like operating system. However,
we will discuss the designs with reference to the implementation on the AIX operating
system with the hft support for the console.
[0034] The following features are made in the AIX operating system to implement the trusted
path mechanism with virtual terminals support:
(i) When the line discipline driver receives the SAK from the hft driver, it sends
the SIGSAK signal directly to the init process (which has process ID 1).
(ii) The UNIX program init includes functions (a) to receive the SIGSAK signal directly
from the line discipline driver, (b) to create a new virtual terminal with a trusted
path, (c) to protect a user's console or virtual terminal from unauthorized access
during the trusted path, (d) to run a trusted process for the user's console or virtual
terminal after creating a trusted path, (e) to update the user's console entry in
the /etc/utmp file indicating the existence of a trusted path for the user's hft terminal,
(f) to save the process ID (pid) of the trusted shell, and (g) to detect the termination
of a trusted path.
(iii) The Virtual Resource Manager VRM can detect the SAK at a lower level without
key-translation and pass the SAK to the corresponding hft device driver. Also, the
VRM can detect the SAK even in the monitor mode and pass the SAK key sequence to the
hft driver. The monitor mode in AIX/RT provides an efficient mode for programs to
interact with a virtual terminal directly via a memory mapped I/O bus, thus avoiding
read/write system calls.
[0035] A user can create a trusted path any time by pressing the SAK at the console or at
one of the opened virtual terminals of the hft. The SAK operates in both raw and formatted
I/O modes of the terminal. The user can press the SAK before login to the console
to make sure that the user is communicating with the real login program and not a
login-spoofing program. Or, the user can press the SAK after login to the console
to perform secure operations, such as, changing a password. Or, the user can press
the SAK after he logs out from the console to make sure that he has actually logged
out from the system.
[0036] The following provides a layered design of the trusted path mechanism with virtual
terminals support:
[0037] Detection of SAK and SIGSAK:
When a user presses the SAK at the hft terminal, the line discipline driver detects
that the SAK is from the hft, and it sends the SIGSAK signal directly to init.
[0038] Creation of a trusted path:
Upon receiving the SIGSAK signal, init creates a trusted path and runs a trusted process
on a terminal depending on the state of the running process on the console before
the SAK was pressed. The following is a discussion of the operations performed by
init for creating a trusted path and executing a trusted process.
[0039] If a user presses the SAK before login to the console, init receives the SIGSAK directly
from the line discipline driver. Init determines the type of the running process on
the console by reading the ut_type field for the console entry in the /etc/utmp file.
If the user is not logged in to the console, he will begin operating the terminal
in the real mode without any virtual terminals present and the ut_type is either INIT_PROCESS,
if the getty processor was running, or LOGIN_PROCESS, if the login processor was running.
Init terminates the getty or login process and then creates (forks) a new child process.
In the child process, it changes the access mode of the console to -rw-------(readable
and writable by the owner only), changes the owner ID and group ID to root(uid=0;
gid=0), opens the console and revokes the read/write access for the console to all
the processes using the vhangup system call. This would clean the console from any
previous access by programs. This creates a trusted path for the user's console and
protects the console from reading and writing by unauthorized programs.
[0040] Because of the access mode and ownership, only a privileged user can now open the
console. Init being a privileged program now reopens the console and executes (execs)
the getty process (a trusted process), which prompts the user for a new login.
[0041] After login to the console:
If a user presses the SAK after he has already logged in to the console, the top-level
process for the console is a user process (usually the user's login shell). The ut_type
filed for the console is either USER_PROCESS or TSH_PROCESS in the /etc/utmp file.
When a user presses the SAK at the console or at any of the opened virtual terminals,
the line discipline driver sends the SIGSAK signal to init. When init receives the
SIGSAK signal, it checks if the user is logged in to the console by reading the ut_type
field for the console entry in the /etc/utmp file. If the user is logged in then the
ut_type is either USER_PROCESS, if the trusted path was not created, or TSH_PROCESS,
if the trusted path was already created. If the trusted path was already created,
init prints a message on the console indicating that the trusted path was previously
created and the trusted shell is already running.
[0042] If the trusted path was not created, init forks a new child process and saves the
pid of this process; no existing users programs are terminated. In the child process,
it opens a new virtual terminal (if one is available) with access mode of the virtual
terminal to be -rw------(readable and writable by the owner only), makes the virtual
terminal as the current user's terminal, and changes the ut_type field for the console
entry to TSH_PROCESS in the /etc/utmp file, sets the termio parameters of the virtual
terminal to the termio values defined for the console entry in the /etc/utmp file,
and then execs the trusted shell. Note, the owner (and group) of the new virtual terminal
is root (uid=0; gid=0), since the virtual terminal was created by init, which runs
as a root process. If no virtual terminal is available, the child process prints a
message on the console indicating that the user should close at least one existing
virtual terminal to create the trusted path and run the trusted shell, and then the
child process exits. When the child process terminates, init changes the saved pid
to -1.
[0043] If the user presses the SAK after the creation of the trusted path and execution
of the trusted shell, the line discipline driver again sends the SIGSAK signal to
init. Init verifies by the positive value of the saved trusted shell pid that the
trusted shell is already running with a trusted path created. In this case, init prints
a message on the console indicating that the trusted shell is already running and
takes no further action.
[0044] When the user exits the trusted shell, init detects that it was a trusted shell by
comparing the pid of the terminating process with the pid it saved earlier for the
trusted shell. Init then changes the value of the saved pid to -1. When the trusted
shell exits, the virtual terminal is closed, which brings the user back to the previous
virtual terminal.
[0045] After log out from the console: If the user presses the SAK after closing all the
virtual terminals and logging out from the console, it will have the same effect as
before login as previously described.
1. In a data processor, including a terminal console coupled to a system memory, running
an operating system which includes a virtual terminal manager means for controlling
a plurality of existing virtual terminals in said memory, an apparatus for establishing
a trusted path between said terminal console and a trusted virtual terminal in said
memory comprising:
a secure attention request means, preferably a Secure Attention Key, in said terminal
console for outputting a secure attention request from a user;
a trusted path control means coupled to said secure attention request means, for receiving
said secure attention request;
a terminal console access authorization means coupled to said trusted path control
means, for storing the authorization for each of said existing virtual terminals to
access said terminal console, said trusted path control means, in response to said
secure attention request, outputting a revocation message to said access authorization
means revoking the authorization of each of said existing virtual terminals to access
said terminal console;
said trusted path control means establishing a trusted virtual terminal in said memory
which is part of a trusted computing base, and outputting an authorization message
to said access authorization means authorizing said trusted virtual terminal to access
said terminal console;
said trusted path control means coupled to said virtual terminal manager means for
outputting an activation message thereto to activate said trusted virtual terminal
for accessing said terminal console;
whereby a trusted path is established between said terminal console and said trusted
virtual terminal.
2. The apparatus of claim 1, wherein said operating system is a UNIX-like operating system
and said trusted path control means is a part of an init parent process which is a
part of said trusted computing base, said trusted virtual terminal being a child process
of said init process.
3. The apparatus of claim 1 or 2, wherein said trusted virtual terminal has associated
therewith a screen image portion and keyboard image portion which are respectively
written to a screen buffer and a keyboard buffer of said terminal console when said
trusted virtual terminal is activated in response to said secure attention request.
4. The apparatus of claim 2 and 3, wherein each of said plurality of existing virtual
terminals is a child process of said init process.
5. The apparatus of claim 3 or 4, wherein each of said plurality of existing virtual
terminals has associated therewith a screen image portion and a keyboard image portion
which are respectively written to said screen buffer and said keyboard buffer of said
terminal console when each respective one of said plurality of existing virtual terminals
is activated.
6. The apparatus of claim 4 and 5 which further comprises:
a virtual terminal stack means coupled to said virtual terminal manager means for
storing in a last in-first out order, the identity of each of said plurality of existing
virtual terminals when it is deactivated in response to said revocation message from
said trusted path control means;
said virtual terminal manager means reactivating a last deactivated one of said plurality
of existing virtual terminals indicated by said virtual terminal start means when
said trusted virtual terminal terminates its active status.
7. In a data processor, including a terminal console coupled to a system memory, running
an operating system which includes a virtual terminal manager means for controlling
a plurality of virtual terminals in said memory, a method for establishing a trusted
path from said terminal console to a trusted process in said memory, comprising the
steps of:
receiving a secure attention request from a user;
terminating in response to said request, all existing processes associated with said
terminal console and revoking their access thereto when said user is not logged onto
said terminal console, and then establishing a trusted login process;
deactivating in responsive to said request, all existing virtual terminal processes
associated with said terminal console and revoking their access thereto when said
user is logged onto said terminal console, and then establishing a trusted virtual
terminal process.
8. In a data processor, including a terminal console coupled to a system memory, running
an operating system which includes a virtual terminal manager means controlling a
plurality of existing virtual terminals in said memory, a method for establishing
a trusted path between said terminal console and a trusted virtual terminal in said
memory, comprising:
inputting a secure attention request from a user at said terminal console;
revoking the access authorization of each of said existing virtual terminals to access
said terminal console, in response to said secure attention request;
establishing a trusted virtual terminal in said memory which is a part of a trusted
computing base in response to said secure attention request;
authorizing said trusted virtual terminal to access said terminal console;
activating said trusted virtual terminal to access said terminal console over a trusted
path established therebetween.
9. The method of claim 8 wherein said operating system is a UNIX-like operating system
and said trusted virtual terminal is a child process of an init process which is a
part of said trusted computing base.
10. The method of claim 9 which further comprises writing a screen image and a keyboard
image associated with said trusted virtual terminal, respectively to a screen buffer
and a keyboard buffer of said terminal console when said trusted virtual terminal
is activated in response to said secure attention request.
1. In einem Datenprozessor mit einer Terminalkonsole, die mit einem Systemspeicher verbunden
ist, der mit einem eine Verwaltungseinrichtung für virtuelle Terminals zur Steuerung
einer Vielzahl von bestehenden virtuellen Terminals in diesem Speicher umfassenden
Betriebssystem arbeitet, umfaßt eine Vorrichtung zum Aufbau eines Sicherheitsweges
zwischen der Terminalkonsole und einem gesicherten virtuellen Terminal in diesem Speicher
folgendes:
Mittel für eine gesicherte Abrufanforderung, vorzugsweise eine gesicherte Abruftaste,
in dieser Terminalkonsole zum Ausgeben einer gesicherten Abrufanforderung durch einen
Benutzer;
Mittel für einen gesicherten Steuerpfad, das zum Empfang der gesicherten Abrufanforderung
mit dem Mittel für eine gesicherte Abrufanforderung verbunden ist;
eine Zugriffsberechtigungseinrichtung für die Terminalkonsole, die mit dem Mittel
für den gesicherten Steuerpfad verbunden ist, um die Berechtigung eines jeden dieser
bestehenden virtuellen Terminals, auf diese Terminalkonsole zuzugreifen, zu speichern,
wobei das Mittel für einen gesicherten Steuerpfad als Antwort auf die gesicherte Abufanforderung
eine Widerrufnachricht an die Zugriffsberechtigungseinrichtung ausgibt, mit der jedem
der bestehenden virutellen Terminals die Berechtigung auf die Terminalkonsole zuzugreifen
entzogen wird;
wobei das Mittel für einen gesicherten Steuerpfad ein gesichertes virtuelles Terminal,
das Teil einer Computersicherheitsbasis ist, in diesem Speicher aufbaut, und eine
Berechtigungsnachricht an die Zugriffsberechtigungseinrichtung ausgibt, mit der das
gesicherte virtuelle Terminal die Berechtigung erhält, auf diese Terminalkonsole zuzugreifen;
wobei das Mittel für einen gesicherten Steuerpfad mit der Verwaltungseinrichtung für
virtuelle Terminals verbunden ist, die eine Aktivierungsnachricht ausgibt, damit das
gesicherte virtuelle Terminal auf die Terminalkonsole zugreift;
wodurch ein gesicherter Pfad zwischen der Terminalkonsole und dem gesicherten virtuellen
Terminal aufgebaut wird.
2. Vorrichtung gemäß Anspruch 1, bei der das Betriebssystem ein UNIX-ähnliches Betriebssystem
ist und das Mittel für einen gesicherten Steuerpfad Teil eines Init-Elternprozesses
ist, der wiederum Teil der Computersicherheitsbasis ist, wobei das gesicherte virtuelle
Terminal ein Kindprozeß dieses Init-Prozesses ist.
3. Vorrichtung gemäß Anspruch 1 oder 2, bei der dem gesicherten virtuellen Terminal ein
Anzeigenabbildteil und ein Tastaturabbildteil zugeordnet sind, die in einen Anzeigenpuffer
bzw. einen Tastaturpuffer dieser Terminalkonsole geschrieben werden, wenn das gesicherte
virtuelle Terminal als Antwort auf die gesicherte Abrufanforderung aktiviert wird.
4. Vorrichtung gemäß Anspruch 2 und 3, bei der jedes virtuelle Terminal aus dieser Vielzahl
bestehender virtueller Terminals ein Kindprozeß des Init-Prozesses ist.
5. Vorrichtung gemäß Anspruch 3 oder 4, bei der jedem virtuellen Terminal aus der Vielzahl
bestehender virtueller Terminals ein Anzeigenabbildteil und ein Tastaturabbildteil
zugeordnet sind, die in den Anzeigenpuffer bzw. in den Tastaturpuffer der Terminalkonsole
geschrieben werden, wenn das entsprechende virtuelle Terminal aus der Vielzahl bestehender
virtueller Terminals aktiviert wird.
6. Vorrichtung gemäß Anspruch 4 und 5, weiterhin umfassend: Stapelspeicher für virtuelle
Terminals, der mit der Verwaltungseinrichtung für virtuelle Terminals verbunden ist,
um in einer Last-In/First-Out-Reihenfolge die Identität eines jeden virtuellen Terminals
aus der Vielzahl bestehender virtueller Terminals zu speichern, wenn es als Antwort
auf die von dem Mittel für einen gesicherten Steuerpfad ausgegebene Widerrufnachricht
deaktiviert wird;
wobei die Verwaltungseinrichtung für virtuelle Terminals ein letztes deaktiviertes
virtuelles Terminal aus der Vielzahl bestehender virtueller Terminals, das durch die
Starteinrichtung für virtuelle Terminals angezeigt wird, reaktiviert, wenn das gesicherte
virtuelle Terminal seinen aktiven Status beendet.
7. In einem Datenprozessor mit einer Terminalkonsole, die mit einem Systemspeicher verbunden
ist, der mit einem eine Verwaltungseinrichtung für virtuelle Terminals zur Steuerung
einer Vielzahl von bestehenden virtuellen Terminals in diesem Speicher umfassenden
Betriebssystem arbeitet, umfaßt ein Verfahren zum Aufbau eines gesicherten Pfades
von der Terminalkonsole zu einem gesicherten Prozeß im Speicher die folgenden Schritte:
Empfang einer gesicherten Abrufanforderung von einem Benutzer;
die Beendigung aller bestehenden, dieser Terminalkonsole zugeordneten Prozesse als
Antwort auf diese Anforderung, und der Widerruf des Zugriffs dieser Prozesse zu ihr,
wenn der Benutzer nicht an dieser Terminalkonsole angemeldet ist, und dann der Aufbau
eines gesicherten Anmeldeprozesses;
das Deaktivieren aller dieser Terminalkonsole zugeordneten Prozesse bestehender virtueller
Terminals als Antwort auf diese Anforderung, und der Widerruf des Zugriffs dieser
Prozesse zu ihr, wenn sich dieser Benutzer an der Terminalkonsole anmeldet, und dann
der Aufbau eines gesicherten virtuellen Terminalprozesses.
8. In einem Datenprozessor mit einer Terminalkonsole, die mit einem Systemspeicher verbunden
ist, der mit einem eine Verwaltungseinrichtung für virtuelle Terminals zur Steuerung
einer Vielzahl von bestehenden virtuellen Terminals in diesem Speicher umfassenden
Betriebssystem arbeitet, umfaßt ein Verfahren zum Aufbau eines gesicherten Pfades
von der Terminalkonsole zu einem gesicherten virtuellen Terminal in diesem Speicher:
das Eingeben einer gesicherten Abrufanforderung durch einen Benutzer an dieser Terminalkonsole;
den Widerruf der Zugriffsberechtigung jeder der bestehenden virtuellen Terminals auf
diese Terminalkonsole als Antwort aus die gesicherte Abrufanforderung;
der Aufbau eines gesicherten virtuellen Terminals in diesem Speicher, das Teil einer
Computersicherheitsbasis ist als Antwort auf die gesicherte Abrufanforderung;
die Berechtigung des gesicherten virtuellen Terminals, auf die Terminalkonsole zuzugreifen;
das Aktivieren des gesicherten virtuellen Terminals zum Zugreifen auf die Terminalkonsole
über einen dazwischen aufgebauten gesicherten Steuerpfad.
9. Verfahren gemäß Anspruch 8, bei dem das Betriebsystem ein UNIX-ähnliches Betriebssystem
ist und das gesicherte virtuelle Terminal ein Kindprozeß eines Init-Prozesses ist,
der ein Teil der Computersicherheitsbasis ist.
10. Verfahren gemäß Anspruch 9, das darüber hinaus das Schreiben eines Anzeigenabbildes
und eines Tastaturabbildes, die dem gesicherten virtuellen Terminal zugeordnet sind,
in einen Anzeigenpuffer bzw. einen Tastaturpuffer der Terminalkonsole umfaßt, wenn
das gesicherte virtuelle Terminal als Antwort auf die gesicherte Abrufanforderung
aktiviert wird.
1. Dans un processeur de données comprenant une console de terminal raccordée à une mémoire
de système, faisant tourner un système d'exploitation qui comprend un moyen de gestion
de terminaux virtuels pour contrôler une pluralité de terminaux virtuels existant
dans ladite mémoire, un appareil pour établir une voie de sécurité entre ladite console
de terminal et un terminal virtuel de sécurité dans ladite mémoire, comprenant:
- un moyen de requête d'attention sécurité, de préférence une touche d'attention sécurité,
dans ladite console de terminal pour délivrer en sortie une requête d'attention sécurité
d'un utilisateur,
- un moyen de contrôle de voie de sécurité raccordé audit moyen de requête d'attention
sécurité pour recevoir ladite requête d'attention sécurité,
- un moyen d'autorisation d'accès de console de terminal raccordé audit moyen de contrôle
de voie de sécurité afin d'emmagasiner l'autorisation pour chacun desdits terminaux
virtuels existant, d'accéder à ladite console de terminal, ledit moyen de contrôle
de voie de sécurité en réponse à ladite requête d'attention sécurité, délivrant en
sortie un message de révocation audit moyen d'autorisation d'accès révoquant l'autorisation
de chacun desdits terminaux virtuels existant, d'accéder à ladite console de terminal,
- ledit moyen de contrôle de voie de sécurité établissant un terminal virtuel de sécurité
dans ladite mémoire qui fait partie d'une base de calcul de sécurité, et délivrant
en sortie un message d'autorisation audit moyen d'autorisation d'accès autorisant
ledit terminal virtuel de sécurité à accéder à ladite console de terminal,
- ledit moyen de contrôle de voie de sécurité raccordé audit moyen de gestion de terminal
virtuel pour délivrer en sortie un message d'activation pour celui ci afin d'activer
ledit terminal virtuel de sécurité pour accéder à ladite console de terminal,
ce qui assure l'établissement d'une voie de sécurité entre ladite console de terminal
et ledit terminal virtuel de sécurité.
2. L'appareil de la revendication 1 dans lequel ledit système d'exploitation est un système
d'exploitation du type UNIX et ledit moyen de contrôle de la voie de sécurité constitue
une partie d'un processus parent d'initialisation qui constitue une partie de ladite
base de calcul de sécurité, ledit terminal virtuel de sécurité étant un processus
enfant dudit processus d'initialisation.
3. L'appareil de la revendication 1 ou 2 dans lequel ledit terminal virtuel de sécurité
comprend une partie d'image d'écran et une partie d'image de clavier qui lui sont
associées et qui sont respectivement écrites dans une mémoire intermédiaire d'écran
et dans une mémoire intermédiaire de clavier de ladite console de terminal lorsque
ledit terminal virtuel de sécurité est activé en réponse à ladite requête d'attention
sécurité.
4. L'appareil selon les revendications 2 et 3 dans lequel chacun de ladite pluralité
de terminaux virtuels existant est un processus enfant dudit processus d'initialisation.
5. L'appareil de la revendication 3 ou 4 dans lequel chacun de ladite pluralité de terminaux
virtuels existant comprend une partie d'image d'écran et une partie d'image de clavier
qui leur sont associées et qui sont respectivement écrite dans ladite mémoire intermédiaire
d'écran et dans ladite mémoire intermédiaire de clavier de ladite console de terminal
lorsque chaque terminal respectif de ladite pluralité de terminaux virtuels existant,
est activé.
6. L'appareil des revendications 4 et 5 qui comprend en outre:
un moyen à pile de terminal virtuel raccordé audit moyen de gestion de terminal
virtuel pour emmagasiner dans l'ordre "dernier entré, premier sorti", l'identité de
chacun de ladite pluralité de terminaux virtuels existant lorsqu'il est désactivé
en réponse audit message de révocation issu dudit moyen de contrôle de la voie de
sécurité,
ledit moyen de gestion de terminal virtuel réactivant le dernier terminal désactivé
de ladite pluralité de terminaux virtuels existant indiqué par ledit moyen de démarrage
de terminal virtuel lorsque ledit terminal virtuel de sécurité termine son statut
actif.
7. Dans un processeur de données comprenant une console de terminal raccordée à une mémoire
de système, l'utilisation d'un système d'exploitation qui comprend un moyen de gestion
de terminaux virtuels pour contrôler une pluralité de terminaux virtuels dans ladite
mémoire, une méthode d'établissement d'une voie de sécurité entre ladite console de
terminal et un processus de sécurité dans ladite mémoire, comprenant les étapes suivantes:
la réception d'une requête d'attention sécurité d'un utilisateur,
la terminaison en réponse à ladite requête, de tous les processus existant associés
à ladite console de terminal et la révocation de leur accès à celle ci lorsque ledit
utilisateur n'a pas ouvert de session sur ladite console de terminal et ensuite, l'établissement
d'un processus d'ouverture de session de sécurité,
la désactivation en réponse à ladite requête, de tous les processus de terminaux
virtuels existant associés à ladite console de terminal et la révocation de leur accès
à celle ci lorsque ledit utilisateur a ouvert une session dans ladite console de terminal
et ensuite, l'établissement d'un processus de terminal virtuel de sécurité.
8. Dans un processeur de données comprenant une console de terminal raccordée à une mémoire
de système, l'utilisation d'un système d'exploitation qui comprend un moyen de gestion
de terminaux virtuels contrôlant une pluralité de terminaux virtuels existant dans
ladite mémoire, un procédé d'établissement d'une voie de sécurité entre ladite console
de terminal et un terminal virtuel de sécurité dans ladite mémoire, comprenant:
l'entrée d'une requête d'attention sécurité d'un utilisateur à ladite console de
terminal,
la révocation de l'autorisation d'accès de chacun desdits terminaux virtuels existant
pour accéder à ladite console de terminal en réponse à ladite requête d'attention
de sécurité,
l'établissement d'un terminal virtuel de sécurité dans ladite mémoire qui constitue
une partie d'une base de calcul de sécurité en réponse à ladite requête d'attention
de sécurité,
l'autorisation dudit terminal virtuel de sécurité d'accéder à ladite console de
terminal,
l'activation dudit terminal virtuel de sécurité pour accéder à ladite console de
terminal par une voie de sécurité établie entre ceux ci.
9. Le procédé de la revendication 8 dans lequel ledit système d'exploitation est un système
d'exploitation du type UNIX et ledit terminal virtuel de sécurité est formé d'un processus
enfant d'un processus d'initialisation qui constitue une partie de ladite base de
calcul de sécurité.
10. Le procédé de la revendication 9 qui comprend en outre l'écriture d'une image d'écran
et d'une image de clavier associées audit terminal virtuel de sécurité, respectivement,
dans une mémoire intermédiaire d'écran et une mémoire intermédiaire de clavier de
ladite console de terminal lorsque ledit terminal virtuel de sécurité est activé en
réponse à ladite requête d'attention sécurité.